ae23c9
From b373cd31bd40fff153ecbeb4695b8667db28e4e0 Mon Sep 17 00:00:00 2001
ae23c9
From: Xiao Wang <jasowang@redhat.com>
ae23c9
Date: Fri, 11 Jan 2019 07:58:57 +0000
ae23c9
Subject: [PATCH 02/11] rtl8139: fix possible out of bound access
ae23c9
MIME-Version: 1.0
ae23c9
Content-Type: text/plain; charset=UTF-8
ae23c9
Content-Transfer-Encoding: 8bit
ae23c9
ae23c9
RH-Author: Xiao Wang <jasowang@redhat.com>
ae23c9
Message-id: <20190111075904.2030-3-jasowang@redhat.com>
ae23c9
Patchwork-id: 83975
ae23c9
O-Subject: [RHEL8 qemu-kvm PATCH 2/9] rtl8139: fix possible out of bound access
ae23c9
Bugzilla: 1636784
ae23c9
RH-Acked-by: Thomas Huth <thuth@redhat.com>
ae23c9
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
ae23c9
RH-Acked-by: Jens Freimann <jfreimann@redhat.com>
ae23c9
RH-Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
ae23c9
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
ae23c9
ae23c9
In rtl8139_do_receive(), we try to assign size_ to size which converts
ae23c9
from size_t to integer. This will cause troubles when size_ is greater
ae23c9
INT_MAX, this will lead a negative value in size and it can then pass
ae23c9
the check of size < MIN_BUF_SIZE which may lead out of bound access of
ae23c9
for both buf and buf1.
ae23c9
ae23c9
Fixing by converting the type of size to size_t.
ae23c9
ae23c9
CC: qemu-stable@nongnu.org
ae23c9
Reported-by: Daniel Shapira <daniel@twistlock.com>
ae23c9
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
ae23c9
Signed-off-by: Jason Wang <jasowang@redhat.com>
ae23c9
(cherry picked from commit 1a326646fef38782e5542280040ec3ea23e4a730)
ae23c9
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
ae23c9
---
ae23c9
 hw/net/rtl8139.c | 8 ++++----
ae23c9
 1 file changed, 4 insertions(+), 4 deletions(-)
ae23c9
ae23c9
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
ae23c9
index 05453e7..0c916b7 100644
ae23c9
--- a/hw/net/rtl8139.c
ae23c9
+++ b/hw/net/rtl8139.c
ae23c9
@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
ae23c9
     RTL8139State *s = qemu_get_nic_opaque(nc);
ae23c9
     PCIDevice *d = PCI_DEVICE(s);
ae23c9
     /* size is the length of the buffer passed to the driver */
ae23c9
-    int size = size_;
ae23c9
+    size_t size = size_;
ae23c9
     const uint8_t *dot1q_buf = NULL;
ae23c9
 
ae23c9
     uint32_t packet_header = 0;
ae23c9
@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
ae23c9
     static const uint8_t broadcast_macaddr[6] =
ae23c9
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
ae23c9
 
ae23c9
-    DPRINTF(">>> received len=%d\n", size);
ae23c9
+    DPRINTF(">>> received len=%zu\n", size);
ae23c9
 
ae23c9
     /* test if board clock is stopped */
ae23c9
     if (!s->clock_enabled)
ae23c9
@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
ae23c9
 
ae23c9
         if (size+4 > rx_space)
ae23c9
         {
ae23c9
-            DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
ae23c9
+            DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
ae23c9
                 descriptor, rx_space, size);
ae23c9
 
ae23c9
             s->IntrStatus |= RxOverflow;
ae23c9
@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
ae23c9
         if (avail != 0 && RX_ALIGN(size + 8) >= avail)
ae23c9
         {
ae23c9
             DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
ae23c9
-                "read 0x%04x === available 0x%04x need 0x%04x\n",
ae23c9
+                "read 0x%04x === available 0x%04x need 0x%04zx\n",
ae23c9
                 s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
ae23c9
 
ae23c9
             s->IntrStatus |= RxOverflow;
ae23c9
-- 
ae23c9
1.8.3.1
ae23c9